I am currently working my way through the AWS Certified Solutions Architect - Associate (SAA-C02) Linkedin Learning course and I came across something confusing regarding security groups. During the lecture, the lecturer says that when using security groups:
We evaluate all rules before deciding whether to allow traffic
As opposed to how NACLs work, where you stop processing once a rule matches.
But at the end of the lecture, the summary says the following:
It is important to get the order of rules correct or the desired permissions will not be accomplished
I don't understand this. If all rules are evaluated, then why would their order matter? Furthermore, security groups only support allow rules. There is no case of one rule allowing traffic and another one denying it.
CodePudding user response:
There can be multiple Security Groups on a resource. When evaluating Security Groups, access is permitted if any security group rule permits access. If no Security Group rule permits access, then access is Denied.
There is only one Network Access Control List (NACL) on a subnet. When evaluating a NACL, the rules are evaluated in order. There is a default rule that is evaluated last, which determines whether the default is Allow or Deny.
I agree with you that the lecturer's statement appears inaccurate.